Hacking the Professor

Chief information security officers often keep an eye on network traffic coming from outside their institutions to ward against malicious attacks, but what about the ones (literally) at their fingertips?

Florida International University this week reported such an incident after an alumnus and two students last year gained access to a professor’s computer, found tests before they were given, and began selling exam answer keys for $150. The article doesn’t specify how the former student was able to access the exams, only that she “logged into a professor’s email account.” University officials did not respond to a request for comment on Wednesday.

The case at FIU -- and several similar cases at campuses across the country over the last few years -- represent a second front for information security officers. While their focus is often on bolstering the institution’s defenses against attempts to bypass their firewalls, these types of attacks occur within the network and require a different set of security measures.

In some cases, security breaches can be avoided with common sense, such as not picking an easily guessable password. A team of researchers from Trustwave, an information security company, recently stumbled upon more than 2 million compromised accounts -- emails, software credentials and login information from sites such as Google, Facebook and LinkedIn, among others.

“Unfortunately, the most commonly used passwords were far from what your [security officer] would like to see,” the researchers wrote.

That’s being generous. More than three-quarters of the passwords were rated “medium” or worse, and the most popular password -- used by almost 16,000 accounts -- was “123456,” followed by “123456789,” “1234” and, of course, “password.”

By some analyses, the situation is worsening. “Back in 2006 the top 10 most common passwords comprised only 0.9 percent of the total count. Today, in 2013, they add up to 2.4 percent,” the researchers wrote, blaming the growth on lax password complexity requirements. “If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security. If you don’t enforce a password policy, don’t expect your users to do it for you.”

But no matter how many capital letters and symbols a password contains, a hacker using a keylogger need only wait until the target logs into the right account.

Keyloggers record keyboard button presses, capturing everything from tweets and web browsing to usernames, passwords and credit card information. They come in hardware- and software-based forms, the latter of which are often caught by campus security networks when they attempt to upload keystroke reports to an email account or server that can be accessed by the hacker.

Physical keyloggers, however, are becoming increasingly difficult to spot, said David Shaw, chief information security officer of Purdue University. Older versions were simply plastic devices connected between the computer and the keyboard, but earlier this year, Purdue discovered an engineering student had installed keyloggers in the actual keyboards in professors’ classrooms and offices. The student had used the information gained from the keyloggers to change more than two dozen grades.

“The interesting thing about that particular incident is it really highlights the need or the tie between physical security and IT security,” Shaw said. “I don't think there’s a perfect detection method out there for this stuff, but the fact that [the students] went to a place where they broke into a physical office says something about our level of detection. But it also speaks somewhat to the targeted approach as well. They were specifically going after faculty they dealt with.”

A similar case took place last year at the University of Illinois at Urbana-Champaign, where a student peddled exam solutions ahead of the actual test. An investigation found keyloggers installed in several of the keyboards in a campus laboratory.

“Especially in a large institution, it’s hard to keep an eye on,” said Michael Corn, who was the chief information security officer at Illinois at the time. “Someone comes into their office, their keyboard has been replaced -- how are they going to notice it?”

The hunt for hidden keyloggers has spawned some creative solutions. Keyloggers grow warmer as they collect data, so a normal keyboard viewed through an infrared camera looks different from one containing one of the devices. Corn also noticed that traces of keylogging could be found in the Windows Registry, where the operating system stores configuration settings.

Purdue, meanwhile, considered sealed and tamper-detecting keyboards.

“There’s no magic bullet for this,” Corn, now the chief information security officer and deputy CIO at Brandeis University, said. “Students are getting more savvy, they’re getting more and more exposed to hacking. That has to have an impact on how students think.”

Both Corn and Shaw suggested universities consider two-step verification, a security measure that renders keyloggers virtually harmless. On top of the usual password, this additional layer requires a time-sensitive, randomly generated code. If that code is generated on a different device, such as a cell phone app or a security token, a hacker can capture both the password and the code yet still miss the seconds-long login window in which the code is valid.
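As an added illustration, not code from the article or from any vendor it names, the following Python sketch of RFC 6238 time-based one-time passwords shows why a logged password plus code is useless outside its window; the shared secret, password and timestamps are constructed demo values.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (not a real credential). Real deployments generate
# this per user and share it once with the phone app or hardware token.
SHARED_SECRET = b"demo-secret-for-illustration-only"
DEMO_PASSWORD = "correct horse"   # constructed demo password
STEP_SECONDS = 30                 # each code is valid for one 30-second window
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(password: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept only if the password matches AND the code belongs to the current
    time window (or one adjacent step, to tolerate small clock drift)."""
    if not hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode()):
        return False
    for drift in range(-skew_steps, skew_steps + 1):
        expected = totp(SHARED_SECRET, now + drift * STEP_SECONDS)
        if hmac.compare_digest(code.encode(), expected.encode()):
            return True
    return False


def replay_demo(captured_at: int, replayed_at: int) -> tuple:
    """Simulate a keylogger that records password + code at captured_at and an
    attacker who replays that exact pair at replayed_at. Returns
    (accepted_immediately, accepted_on_replay)."""
    code = totp(SHARED_SECRET, captured_at)          # what the legitimate user typed
    return (verify_login(DEMO_PASSWORD, code, captured_at),
            verify_login(DEMO_PASSWORD, code, replayed_at))


if __name__ == "__main__":
    print(replay_demo(1_000_000, 1_000_000))   # same window: both True
    print(replay_demo(1_000_000, 1_000_120))   # two minutes later: (True, False)
```

The second call shows the defender's point: even a complete keystroke capture only buys the attacker the window the user was already logged in for.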

Corn said he preferred two-step verification be offered on an opt-in basis, but that it be made a requirement to access financial information and learning management systems. Those systems, such as Blackboard Learn, Instructure’s Canvas and Desire2Learn’s Learning Suite, don’t offer two-step verification out of the box. Blackboard offers the feature as an extension, and a spokeswoman also said the most recent major release of Learn contained more security updates than any preceding it. Desire2Learn integrates with third-party systems to offer two-step verification.

“Let’s face it: These are the exceptions, not the norm,” Corn said about incidents involving keyloggers. “You really don’t want to build your rule set around the exceptions.”